Scumware targets AA !

[MickeyTheMan]

It has come to our attention that the RadLight 3.03R5.2 (by Radlight)
software intentionally tries to uninstall Ad-aware components from your system, without requesting your permission or knowledge.

After reports from concerned users, our tests have shown that the Radlight
software indeed checks for the default Ad-aware installation path, and then removes
all files that are not currently in use, upon its first execution.
Until now, such a malicious behaviour was commonly known for viruses and trojans.

It does not slip through Ad-watch, or hides from the Ad-aware scanner,
Radlight is not (yet) targeted by Ad-aware or Ad-watch.

It performs an silent uninstall of the Ad-aware components, including desktop shortcuts and startmenu items.

This is not a bug in the RadLight software, it is intentionally uninstalling
Ad-aware, with the only purpose to make your system attainable for further malware installation.

And af this wasn't enough, the Radlight software is bundled with WhenU's SaveNow software, a well known data mining company.
If Ad-watch is running, it will correctly prevent the installation of Savenow.
If neither Ad-aware or Ad-watch is active, they both will be uninstalled through the Radlight software upon its first execution.

A fix is in progress, and we feel its necessary to add Radlight to the AAW target list.
This is malware at it worst.

Team Lavasoft

Urizen

[javacool]

That's a really horrible thing for a program to do.

Unfortunately, I am surprised it didn't happen sooner - but I'm sure many people figured that luck would run out soon enough.

I'm glad to know you're working on a fix - good luck on a quick release!

Also, minor question: What does the RadLight software do, and where (and/or why) would someone obtain it? (Mainly asked for my own testing purposes.)

TIA.

-javacool

UPDATE: Nevermind on the "where would someone obtain it" question - a simple .com address does the trick. *

[Ann]

Hi javacool

RadLight 3.03R5.2 is a media player and can be found at
http://www.radlight.net

Ann Christine Åkerlund
bee@lavasoft.de

[spy1]

I think they need some email, don't you?

davenger@radlight.net <davenger@radlight.net>

(Of course, they know, this means W-A-R!!! ). Pete

[Paul Wilders]

Posted the same on "privacy software" - apologies for the unintended cross posting.

That said: I fully agree with javacool: it does not surprise me at all - and it probably is just the beginning.

The method used here is a simple and quite straight forward one: any AA user will notice immediately. Chances are, AA will be targetted and put out of business like lots of security software is: only altering - the way it seems all works as it should, but in fact putting the app dead or not targetting certain spyware.

IMHO a pro-active coding is needed here in regard to AA. That's a hugh effort. Nevertheless, IMO a needed one. Better stay ahead than acting reactive.

regards.

paul

[spy1]

"'davenger', huh? (<g>)
* *The best possible interpretation I can put on your insane move to disable the AdAware program is that you're looking for publicity (which, unfortunately, you'll get more of than what you want).
* *If a suitably short enough period of time passes and you do not cease and desist from this pratice, I hereby promise you that I will organize a class action suit by Lavasoft users against your company and your person which will result in your total destruction as a corporate entity and leave the next two generations of your children scurrying to finish paying off the judgement against you.
* *Have a nice day.

Pete Yevchak (spy1 Global Mod @ http://www.security-pro.co.uk/yabb/YaBB.pl"

Everyone please feel free to copy and paste that (or something similar), adding your name to it to let them know that you'll be part of the suit.

Mine's already sent. Pete

*And here's the link for cnets' 'Feedback' form - I urge everyone to fill out and send one of those, too!

http://download.com.com/1200-20-750060.html?tag=subnav

[javacool]

Quote:

"'davenger', huh? (<g>)
* *The best possible interpretation I can put on your insane move to disable the AdAware program is that you're looking for publicity (which, unfortunately, you'll get more of than what you want).
* *If a suitably short enough period of time passes and you do not cease and desist from this pratice, I hereby promise you that I will organize a class action suit by Lavasoft users against your company and your person which will result in your total destruction as a corporate entity and leave the next two generations of your children scurrying to finish paying off the judgement against you.
* *Have a nice day.

Pete Yevchak (spy1 Global Mod @ http://www.security-pro.co.uk/yabb/YaBB.pl"

Everyone please feel free to copy and paste that (or something similar), adding your name to it to let them know that you'll be part of the suit.

Mine's already sent. Pete

Will do - *

BTW, Just a thought - Wouldn't it be possible to make a program to watch the AdAware files for deletion or even tampering? i.e. a small memory-resident app you could either run when you installed applications, or all the time, if you wanted.

Side note - That program probably wouldn't be too hard to make. If anyone has an interest, I could always whip one up really quick (probably only 10 kb or so, too).

Just a thought. (That program probably wouldn't be much use to AdAware Plus users, though - since they have the resident scanner, but just a thought.)

[TonyKlein]

This is just unimaginable! *

I've just posted this Lavasoft notification at VirtualDr, Winguides.com, and TSG Forums, as well as on a couple of boards here in Holland.

Everyone ought to be warned.

[discogail]

Radlight has a discussion forum. This topic is being discussed there too.
RadLight.NET Forum.....http://216.194.92.96/phpBB2/viewtopic.php?t=215

[Mike_Healan]

LOL Pete.
As a LS mod, I think I should stay out of it, but anyone else, please, contact them and warn them they're up against a company that will NOT back down.

We appreciate the support everyone. I know there's some harsh words for us when one of our new releases cause some..... ermm... "unexpected troubles", but it's good to know we have your support nevertheless.

[Paul Wilders]

all good security and anti-spyware software will be supported *by us, our mods and members. All in all, it's fighting a common enemy, and that's what counts in the end.

regards.

paul

[discogail]

CNet has pulled it.......
"This title is no longer available!

The program you've requested, "RadLight", is not available for download at this time"

Still available at Simtel http://www.simtel.net/pub/pd/55443.html
Simtel discussion forum.....http://forum.simtel.net/ubbthreads/ubbthreads.php
Email........bdickson@digitalriver.com <bdickson@digitalriver.com>
***Apparently filters have messed with the email address. LOL.....bthingyson should be bd*i*c*kson...remove asterisks

[spy1]

Thanks, DG! I feel the need to email! Pete

[javacool]

I've released a small application to hopefully deal with this problem.

Details here: http://www.security-pro.co.uk/yabb/Y...32173;start=0;.

* * * * *COPY OF SENT




* * *
* * * * * * * * * RE: *Radlight 3.02R.2



* * * *TO: * B. Dickson

* * * * * * *please be herewith advised that Radlight 3.03R3 has
* * * * * * *been positively identified as a program that performs
* * * * * * *illegal operations.....the dis-installing of legally
* * * * * * *obtained and copyrighted computer software installed
* * * * * * *on personal/busness computers.
* * * * * *
* * * * * * *all parties associated with the distribution of Radlight
* * * * * * *3.02R.2 should seriously consider if such association
* * * * * * *will also associate them in whatever pending legal actions
* * * * * * *that may ensue.

* * * * * * * * * * * * * * * * *respectfully *submitted

* * * * * * * * * * * * * * * * * *(snipped)
* * * * * * *

[Blacksheep]

Simtel is now aware of RadLight *problem*:

http://forum.simtel.net/ubbthreads/showflat.php?Cat=&Board=looking&Number=2132&page=0&view=collapsed&sb=5&o=&fpart=1&vc=1

* * * *seems like I picked-up a hitchhiker.....somewhere after leaving here to the radlight site...my email site...and two other sites......

* * * after noticing on of those behind the window pop-ups....an pop-ups wont pop on my computer LOL *I became curious......checked my windows temp....an sure as gravy covers rice I found a download... *



* * * GLB1A2B * * *application

* * * 112 kb



* * * most all day yesterday I was installing M$ patches....an this afternoon installed some previously download programs.........so this may all be very innocent...........however, *I also clean and defrag my computer after each install..........an don't see how this would have been left behind....

* * * *unfortunately I forgot to disable "download files" in the internet zone.........so its possible that a forced download was made......an there was that "box" behind window...........an I did check out radlight......

* * * *this whatever it is in the temp folder is of no concern to me...it can't install on my computer......if by a miracle I picked up a copy of whatever is un-installing adware.....it may be useful.....but I certainly can't say thats what this application is....it may be nothing.

* * * * I'll say awake for alittle longer to see if anyone is interested...if not I will delete it.....


* * * * * * * * * * * * * * * snowman

* * * *the file resembles * a small box next to a waste paper basket.............something along the lines of what the recycle bin appears like......but with a small box nest to it...



* * * * * * * * * * * * * * *snowman

[Mike_Healan]

mike@spywareinfo.com

I'll take a look.

* * * * after further consideration...this makes no sense....the program that un-installs adaware is bundled in radlight.......so I can't see how this would be related

* * * *my apology.......



* * * * * * * * * * * * * * * * * * * *snowman

* * * * MIKE


* * * * do you still want me to send it?? * I'll be happy to do so..


* * * * * * * * * * * * * snowman

[TonyKlein]

Quote:

Quoting Snowman:

after noticing on of those behind the window pop-ups....an pop-ups wont pop on my computer LOL *I became curious......checked my windows temp....an sure as gravy covers rice I found a download... *

* * * GLB1A2B * * *application

If I remember well, GLB1A2B has been known to be put in your Windows\temp folder when you install Ad-Aware.

You'll find it in your Wininit.ini, and it will therefore show in your Wininit.bak after reboot.

Take a look at this thread, two thirds down: http://www.lurkhere.com/forum768.html

So maybe let's not get carried away unduly...

Cheers, *Tony

* * * *Tony

* * * * I agree about not getting carried away.....an that may be just as well cause I can't get this thing into my e mail...in order to forward......it keeps trying to open!!!!


* * * an for adaware....I installed it weeks ago.....have cleaned my tempt folder a dozen times since......I did run adaware within the past twenty four hours....

* * * * anyways..since it wont go into the e mail....I'll just delete it.....oh, I even tryed putting it into "zip:


* * * * hope this wasn't a bother to anyone.....thank you for your time.

* * * * * * * * * * * * * * snowman

[TonyKlein]

Hi Snowman,

No prob!

It'll certainly serve to reassure others that may be asking themselves the same question.

I know I've seen this item popping up in StartLogs many times myself, *and have always wondered what it was, until Mo accidentally discovered it was created by Ad-Aware.

Cheers, *Tony

* * * * Tony

* * * * thanks for the advisory......this certainly was a new one for me....I am still rather confused...but placing my trust in you on this.

* * * * what confused me was that its a 162 kb application.....an it kept trying to open whenever I made an attemp to move it....

* * * *but no problem..its deleted....system cleaned completely...checked for possible virus/trojan..etc.

* * * *was an interesting experience.....I have never sent an attachment by e mail....in fact have only used e mail less than ten times over several years.....seems I will need to learn how to use it properly......talk about going back to the basics........LOL


* * * * * * * * * wishing you well

* * * * * * * * * *snowman